Are there any security issues leaving the PDB debug files on the live servers?

Question

Are there any security issues keeping the .NET PDB files on the real server?

I know that throwing exceptions might take a bit longer , but who throws exceptions duri

Answer 1

If you present failing exceptions to the end-user (aka in Yellow Screen of Death), then it might pose a risk of attacker a getting better insight into your system.

One of the possible solutions - to have an exception handling policy that:

1. Logs all exceptions with the original stack trace, additional information and a unique exception ID (Guid).
2. Replaces fired exception with a wrapper that contains only exception ID (for reference and feedback) and sanitized message (i.e.: no connection strings) with discarded stack trace info.

Examples of Open Source Exception handling blocks in .NET:

• From Lokad

• From Microsoft

• Theory